ACL's in Cisco won't block Interfaces when using NAT

[dslguide]

Hi!
I have a Cisco 2611 with the following hardware:

2 Ethernet/IEEE 802.3 interface(s)
1 Serial network interface(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash.

My connectivity is through a full T1 and I have a C block. I initialized NAT about a year ago and it works fine. But, on E0/0 I have a mail server that is statically mapped. I wan't to block all incomming and outgoing traffic between these two ports so that I can have another server on a seperate broadcast domain. I'm not sure what I'm doing wrong but no matter what I try I can't keep E0/0 from seeing E0/1 while I'm using NAT. My Access Lists simply do not work when it comes to this... They work blocking everything else... Except these two interfaces from seeing each other.

 

[ciscoexpert]

I guess this is due to the order of operation of NAT.

Probably the catch is in your access-list. When a packet comes from outside to the mail server (sitting on inside), and if the outside interface has an access-list configured, the access-list is checked first. Now the destination address on the packet is the public IP of the mail server and not the private IP. (because the packet has not reached NAT process)

access-list 101 permit tcp any host x.x.x.x eq pop3
access-list 101 permit tcp any host x.x.x.x eq smtp
access-list 101 deny ip any host x.x.x.x
access-list 101 permit ip any any


The first two statements allow pop3 and smtp access to the mail server. The third line denies access to mail server.
Last line is important for permitting other traffic.

Note that x.x.x.x is the public IP of mail server and not the private IP.

This access-list should be applied inbound on the outside interface.

Hope that helps!

Sankar Nair
General Datatech l.p.

http://www.generaldatatech.com

 

[tschouten]

Agrees with Sankar (CiscoExpert).